Florian Wilkens, Felix Ortmann, Steffen Haas, Matthias Vallentin, Mathias Fischer
{"title":"基于杀伤链状态机的多阶段攻击检测","authors":"Florian Wilkens, Felix Ortmann, Steffen Haas, Matthias Vallentin, Mathias Fischer","doi":"10.1145/3474374.3486918","DOIUrl":null,"url":null,"abstract":"Today, human security analysts need to sift through large volumes of alerts they have to triage during investigations. This alert fatigue results in failure to detect complex attacks, such as advanced persistent threats (APTs), because they manifest over long time frames and attackers tread carefully to evade detection mechanisms. In this paper, we contribute a new method to synthesize scenario graphs from state machines. We use the network direction to derive potential attack stages from single and meta-alerts and model resulting attack scenarios in a kill chain state machine(KCSM). Our algorithm yields a graphical summary of the attack, called APT scenario graphs, where nodes represent involved hosts and edges infection activity. We evaluate the feasibility of our approach by injecting an APT campaign into a network traffic data set containing both benign and malicious activity. Our approach then generates a set of APT scenario graphs that contain our injected campaign while reducing the overall alert set by up to three orders of magnitude. This reduction makes it feasible for human analysts to effectively triage potential incidents.","PeriodicalId":319965,"journal":{"name":"Proceedings of the 3rd Workshop on Cyber-Security Arms Race","volume":"41 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-03-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"13","resultStr":"{\"title\":\"Multi-Stage Attack Detection via Kill Chain State Machines\",\"authors\":\"Florian Wilkens, Felix Ortmann, Steffen Haas, Matthias Vallentin, Mathias Fischer\",\"doi\":\"10.1145/3474374.3486918\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Today, human security analysts need to sift through large volumes of alerts they have to triage during investigations. This alert fatigue results in failure to detect complex attacks, such as advanced persistent threats (APTs), because they manifest over long time frames and attackers tread carefully to evade detection mechanisms. In this paper, we contribute a new method to synthesize scenario graphs from state machines. We use the network direction to derive potential attack stages from single and meta-alerts and model resulting attack scenarios in a kill chain state machine(KCSM). Our algorithm yields a graphical summary of the attack, called APT scenario graphs, where nodes represent involved hosts and edges infection activity. We evaluate the feasibility of our approach by injecting an APT campaign into a network traffic data set containing both benign and malicious activity. Our approach then generates a set of APT scenario graphs that contain our injected campaign while reducing the overall alert set by up to three orders of magnitude. This reduction makes it feasible for human analysts to effectively triage potential incidents.\",\"PeriodicalId\":319965,\"journal\":{\"name\":\"Proceedings of the 3rd Workshop on Cyber-Security Arms Race\",\"volume\":\"41 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2021-03-26\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"13\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the 3rd Workshop on Cyber-Security Arms Race\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/3474374.3486918\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 3rd Workshop on Cyber-Security Arms Race","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3474374.3486918","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Multi-Stage Attack Detection via Kill Chain State Machines
Today, human security analysts need to sift through large volumes of alerts they have to triage during investigations. This alert fatigue results in failure to detect complex attacks, such as advanced persistent threats (APTs), because they manifest over long time frames and attackers tread carefully to evade detection mechanisms. In this paper, we contribute a new method to synthesize scenario graphs from state machines. We use the network direction to derive potential attack stages from single and meta-alerts and model resulting attack scenarios in a kill chain state machine(KCSM). Our algorithm yields a graphical summary of the attack, called APT scenario graphs, where nodes represent involved hosts and edges infection activity. We evaluate the feasibility of our approach by injecting an APT campaign into a network traffic data set containing both benign and malicious activity. Our approach then generates a set of APT scenario graphs that contain our injected campaign while reducing the overall alert set by up to three orders of magnitude. This reduction makes it feasible for human analysts to effectively triage potential incidents.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
